By default, WordPress makes certain user information publicly available. While this was intended to support features like author archives and app integrations, it also means your admin usernames may be easier to find than you’d like.
The good news: this isn’t a sign that your site has been hacked, it’s default behaviour, and it’s simple to change. In this guide, you’ll learn how usernames become visible, why it matters, and how to block user enumeration in just a few minutes.
The Issue: WordPress Usernames Are Public by Default
WordPress includes a REST API and other features that can reveal usernames. These endpoints are useful for developers, but they’re not always ideal for site security.
Common Ways Usernames Are Exposed
- REST API user list: yoursite.com/wp-json/wp/v2/users (the same route is also reachable as yoursite.com/?rest_route=/wp/v2/users)
- Author ID lookup: yoursite.com/?author=1 redirects to the author archive, and the redirect target contains the username
- Author archive pages: yoursite.com/author/username/
- Users sitemap (WordPress 5.5 and later): yoursite.com/wp-sitemap-users-1.xml lists the author archive URL of every user who has published a post
- RSS feeds and post metadata, which show the author’s display name
- Login error messages that distinguish an unknown username from an incorrect password
On a default install the author archive slug (the user’s “nicename”) and the display name are both derived from the login name, so every item above reveals the same string unless you have changed those fields in the user profile.
Why It Matters
If usernames are easy to find, attackers can skip guessing and focus on password attempts. Even with strong passwords, it’s better to reduce the information that’s exposed. Blocking user enumeration adds another layer of protection without disrupting your site.
The Fix: Block User Enumeration
You don’t need to disable the entire REST API (which would break the block editor and many plugins) or install a heavy plugin. A few lines of PHP remove the user routes and the author lookups while leaving everything else working as expected.
Method 1: Use a Code Snippet Plugin (Recommended)
A plugin like WPCodeBox or Code Snippets makes this quick and update-safe.
- Install your preferred code snippet plugin
- Add a new snippet called “Block User Enumeration”
- Paste in the code below and set it to run everywhere:
// Restrict REST API user enumeration: remove the two user routes for anyone
// without the list_users capability (administrators and editors keep them).
// This covers both /wp-json/wp/v2/users and ?rest_route=/wp/v2/users.
add_filter('rest_endpoints', function ($endpoints) {
    if (!current_user_can('list_users')) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// Block ?author=N queries. Priority 1 matters: WordPress’s own
// redirect_canonical() is hooked on template_redirect at priority 10, and at
// the default priority it would redirect ?author=1 to /author/username/
// (revealing the name) before this callback ever runs.
add_action('template_redirect', function () {
    if (isset($_GET['author']) && !is_admin()) {
        wp_safe_redirect(home_url('/'));
        exit;
    }
}, 1);

// (Optional) Redirect author archive pages (/author/username/). Skip this
// block if your site relies on author archives.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'));
        exit;
    }
}, 1);
- Save and activate the snippet
Method 2: Add to functions.php (Not Ideal)
You can also paste the same code into your theme’s functions.php. Remember that a theme update overwrites that file (unless you use a child theme) and switching themes leaves the code behind, which is why snippet plugins are the safer option.
Special Note for WooCommerce Sites
WooCommerce relies heavily on the REST API for payments, subscriptions, and integrations, but its own routes live under its own namespaces (wc/v3, wc/store) rather than /wp/v2/users. The snippet above only removes the two user routes, so all store functions continue to work normally. If an integration or headless front end genuinely needs /wp/v2/users, authenticate it as a user with the list_users capability and the routes remain available to it.
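The snippet above covers the REST routes and the author lookups, but three of the leaks listed earlier are left open: the login error message, the author name in feeds, and the users sitemap (plus the author link that oEmbed responses carry). The following block is an added example, not code from the original post; it uses only WordPress core filters, and can be pasted into the same snippet plugin as a second snippet (no opening <?php tag is needed there).

```php
// Added example: close the username leaks the main snippet does not touch.
// Every hook below is a WordPress core filter.

// 1. Login errors. By default wp-login.php tells the visitor whether the
//    username exists ("incorrect password" vs "unknown username"), so the
//    form itself is an enumeration oracle. Return one neutral message for
//    every failed sign-in. The $_POST check limits this to login submissions
//    (the lost-password form posts user_login, not log), so logout and
//    password-reset notices are left alone; empty-field notices are replaced too.
add_filter('login_errors', function ($message) {
    if (isset($_POST['log']) || isset($_POST['pwd'])) {
        return __('The username or password you entered is incorrect.');
    }
    return $message;
});

// 2. Users sitemap. WordPress 5.5+ publishes wp-sitemap-users-1.xml with the
//    author archive URL of every user who has published a post. Returning
//    false from wp_sitemaps_add_provider for the "users" provider removes
//    that sitemap entirely; post and taxonomy sitemaps are unaffected.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);

// 3. Feeds. RSS/Atom output uses get_the_author() for <dc:creator>, which is
//    the display name (equal to the login name on a default install). Show
//    the site name instead, but only in feeds so bylines on the site keep
//    working.
add_filter('the_author', function ($display_name) {
    return is_feed() ? get_bloginfo('name') : $display_name;
});

// 4. oEmbed. /wp-json/oembed/1.0/embed?url=<post> returns author_name and
//    author_url, the latter being the author archive link (and therefore the
//    slug) even when that archive redirects. Point both at the site.
add_filter('oembed_response_data', function ($data) {
    $data['author_name'] = get_bloginfo('name');
    $data['author_url']  = home_url('/');
    return $data;
});
```

The users-sitemap filter and the feed filter are only worth adding if you also redirect author archives; if author archives are public on purpose, there is nothing to hide and the first snippet alone is enough.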
Testing Your Fix
After adding the snippet, run these quick checks from a browser where you are logged out (or a private window): a logged-in administrator still has the list_users capability, so the REST route remains visible to them by design.
- REST API: visit yoursite.com/wp-json/wp/v2/users (and yoursite.com/?rest_route=/wp/v2/users, which reaches the same route) → should return an HTTP 404 JSON error with code rest_no_route instead of a list of users.
- Author parameter: visit yoursite.com/?author=1 → should redirect to your homepage, not to /author/username/.
- Author archives: visit yoursite.com/author/username/ → should redirect if you enabled that option. Without it, a real slug returns 200 and an invented one returns 404, which still lets an attacker confirm usernames one at a time.
- Site features: test forms, orders, and integrations to confirm everything still works smoothly.
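The same checks can be scripted so they run after every update. The script below is an added example, not part of the original post: it fetches each URL without following redirects and reports PASS or FAIL per vector. It needs a reachable site, the php-curl extension, and a machine that is not signed in to the site. The base URL and the optional author slug are command-line arguments.

```php
<?php
// Added example (not from the original post): command-line checker for the
// user-enumeration vectors discussed above.
//   php check-enum.php https://yoursite.com [author-slug]
// Run it logged out; cookies from an admin session would show the REST list.

if ($argc < 2) {
    fwrite(STDERR, "usage: php check-enum.php https://yoursite.com [author-slug]\n");
    exit(2);
}
$base = rtrim($argv[1], '/');
$slug = $argv[2] ?? null;

// Fetch a URL without following redirects. Returns [status, Location header, body].
function fetch(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // keep headers so Location can be read
        CURLOPT_FOLLOWLOCATION => false,  // inspect the redirect, do not follow it
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_USERAGENT      => 'enum-check/1.0',
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) {
        fwrite(STDERR, "request to $url failed: " . curl_error($ch) . "\n");
        exit(2);
    }
    $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $hsize    = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $headers  = substr($raw, 0, $hsize);
    $location = preg_match('/^Location:\s*(\S+)/mi', $headers, $m) ? $m[1] : '';
    return [$status, $location, substr($raw, $hsize)];
}

$results = [];   // label => [passed?, detail]

// 1. REST users route, both URL forms. After the fix WordPress answers 404
//    with code "rest_no_route"; a 200 with a JSON array of users is a leak.
foreach (['/wp-json/wp/v2/users', '/?rest_route=/wp/v2/users'] as $path) {
    [$status, , $body] = fetch($base . $path);
    $json = json_decode($body, true);
    $code = is_array($json) ? ($json['code'] ?? '') : '';
    $results[$path] = [$status !== 200, "HTTP $status" . ($code ? ", code=$code" : '')];
}

// 2. ?author=1 must not render an archive (200) and must not redirect to
//    /author/<slug>/. A 404 (user ID 1 does not exist) also counts as safe.
[$status, $location] = fetch($base . '/?author=1');
$leaks = stripos($location, '/author/') !== false;
$results['/?author=1'] = [$status !== 200 && !$leaks,
    "HTTP $status, Location=" . ($location ?: '(none)')];

// 3. Author archive for a known slug, only meaningful if the optional
//    redirect is enabled. Without it a real slug returns 200 and an invented
//    one returns 404, which is itself an enumeration oracle.
if ($slug !== null) {
    [$status, $location] = fetch($base . '/author/' . rawurlencode($slug) . '/');
    $results["/author/$slug/"] = [$status !== 200,
        "HTTP $status" . ($location ? ", Location=$location" : '')];
}

$failed = 0;
foreach ($results as $label => [$ok, $detail]) {
    $failed += $ok ? 0 : 1;
    printf("[%s] %-28s %s\n", $ok ? 'PASS' : 'FAIL', $label, $detail);
}
exit($failed ? 1 : 0);
```

A non-zero exit status makes the script usable as a post-deploy check in CI or a cron job; re-run it after WordPress, theme, or plugin updates, since any of them can re-register the routes or hooks the snippet relies on.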
Beyond User Enumeration: Other Security Best Practices
Blocking usernames is one piece of the puzzle. For stronger overall security, also consider:
- Authentication: Unique, complex passwords + two-factor authentication (2FA)
- Login protection: limit login attempts; optionally move the login URL away from /wp-admin (this is obscurity, not a replacement for the measures above)
- Maintenance: keep WordPress, themes, and plugins updated; schedule backups
- Server security: Use HTTPS, proper file permissions, and firewall protection
Why WordPress Allows This by Default
WordPress prioritizes flexibility. Many sites (like blogs or magazines) want author archives and public user info. Rather than disable it globally, WordPress leaves it to site owners to decide what’s appropriate. That’s why it’s worth taking a few minutes to lock things down for your use case.
Conclusion
Usernames don’t need to be public. With a short snippet, you can:
- Block unnecessary exposure
- Reduce brute-force risks
- Protect your team’s privacy
- Keep your site running normally
Security isn’t about fear — it’s about layers of protection. This simple fix strengthens your WordPress site today and gives you peace of mind going forward.
Need help with security or ongoing site care? Cinch Web Services includes proactive hardening, backups, and updates in every plan — so you can focus on running your business while we keep WordPress secure.